Analysis Date: 2014-08-23 15:50:53
MD5: 7e4667cb48347c7a4521b4e09beb3ddd
SHA1: f878b75fb5d31f3a3ff3aac2f830e3ef8b5805a4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 72edfdb52d3bc7c9f2a34f667ce126ad sha1: 679e7c3970bad973ef8df4f0e807224decf2b91a size: 20480
Section .rdata  md5: 1e43b9e199f227725d4f024d0ab6beb1 sha1: f9f85bb9586938dc18ec05f1bb4ef629c0c8e036 size: 4096
Section .data   md5: 56916919e883f78ea960b7124843d13f sha1: d9935718edea97b448821ed419ee6ddbacc692c8 size: 155648
Section .idata  md5: efcf4a13aa0aca0d5b3bda58a822a94c sha1: 2a947e09cde5900880a500126faa10a6384ff635 size: 4096
Section .rsrc   md5: f68d9b8b64c51aa7b190f3ac6cb748b1 sha1: d9f3ed63f692622bb9c5f5362d796dee36dd50aa size: 4096
Section .reloc  md5: 5516b373712c0b435c9787400f456179 sha1: bf79211bfcc554518fa19ec04e45d114e8bc5410 size: 4096
Timestamp: 2014-07-29 09:35:40
Packer: Microsoft Visual C++ v6.0
PEhash: bb167d138599a2d8ef4791a246500cdf2501f8c8
IMPhash: d30607e53015c77d616d50ebfe6e219d

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ConnectGroup ➝ \\xb5\\xdb\\xb9\\xfa\\x00
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\FCT.scr
Creates File: \Device\Afd\Endpoint
Creates Mutex: C:\malware.exe
Creates Mutex: DBWinMutex

Network Details:

DNS: qq834356673.f3322.org
Type: A
192.210.53.21
Flows TCP: 192.168.1.1:1031 ➝ 192.210.53.21:1986
Flows TCP: 192.168.1.1:1032 ➝ 192.210.53.21:1986
Flows TCP: 192.168.1.1:1033 ➝ 192.210.53.21:1986
Flows TCP: 192.168.1.1:1034 ➝ 192.210.53.21:1986
Flows TCP: 192.168.1.1:1035 ➝ 192.210.53.21:1986
Flows TCP: 192.168.1.1:1036 ➝ 192.210.53.21:1986

Raw Pcap
0x00000000 (00000)   46554c4c 522001                       FULLR .

0x00000000 (00000)   46554c4c 522001                       FULLR .

0x00000000 (00000)   46554c4c 521f01                       FULLR..

0x00000000 (00000)   46554c4c 522001                       FULLR .

0x00000000 (00000)   46554c4c 521f01                       FULLR..

0x00000000 (00000)   46554c4c 521f01                       FULLR..


Strings
IsBadReadPtr
.
.
$
.

****************************************
0$0(0,000<0@0X1p1
$0*040F0L0e0k0u0
02,2024202{
02,2024202s
024202
024202{
024202,2024202
024202,2024202{
024202,2024202H
024202H
024202L2024202{
024202L2024202}
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
1"1(1.141:1@1F1L1R1X1^1d1j1p1v1|1
1/151;1B1M1W1]1
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??1type_info@@UAE@XZ
??1_Winit@std@@QAE@XZ
2024202
2024202{
2024202}
2024202H
2024202Hf
2024202{s
2024202}s$
2024202{sT
2$292]2c2j2~2.343:3A3L3R3X3]3d3o3u3{3
24202{
24202,2024202}sh
24202H6
24202}s
??2@YAPAXI@Z
334I5j5
3nlnhnln
3nlnhnlnpnlnhnln
3nlnhnlnpnlnhnln{/
3nlnhnlnpnlnhnln2
3nlnhnlnpnlnhnlnH
3nlnhnlnPnlnhnlnH
3nlnhnlnpnlnhnlnq
3nlnhnlnpnlnhnlns
??3@YAXPAX@Z
4202L2024202
4202L2024202{
4	4+414:4@4G4R4Y4d4
?"?(?.?4?:?@?F?P?U?y?
5#5.5J5P5V5]5h5q5w5}5
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAH@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
6 6$6G6d6n6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@D@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
7&7@7~7
860100371
8 8)81878D8Q8Z8b8h8p8z8
9(9.979@9F9O9W9]9c9
_acmdln
_adjust_fdiv
age:%d
.?AVtype_info@@
="=(=.=;=B=G=p=u=
birthplace:%s
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
CloseHandle
Cnlnhnln
_controlfp
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
CreateFileA
__CxxFrameHandler
_CxxThrowException
@.data
__dllonexit
?'?/?<?D?Q?Y?f?q?
DURTV	
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
enter age:
enter birthplace:
enter name:
enter number:
_except_handler3
ExeProcesstest
FreeLibrary
FWTJTw
G78":9)
getchar
__getmainargs
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
HeapAlloc
HeapFree
=hnln{
=hnln3nlnhnlnpnlnhnln{
=hnlnH
hnlnpnlnhnln
=hnlnpnlnhnln
=hnlnpnlnhnln{
=hnlnPnlnhnln{
hnlnpnlnhnlnH
=hnlnpnlnhnlnq
hnlnpnlnhnlns
hnlnPnlnhnlns
hnlnpnlnhnlu
=hnlns
.idata
_initterm
j	h0fB
j	h<fB
KERNEL32.dll
 key: 
L2024202{
lnhnln
^=lnhnln
^=lnhnln{
=lnhnln
=lnhnln{
lnhnln{
lnhnlnpnlnhnln
=lnhnlnpnlnhnln
=lnhnlnpnlnhnln{
=lnhnlnpnlnhnlnq
=lnhnlnpnlnhnlns
=lnhnlnPnlnhnlns
[=lnhnlnq
=lnhnlns
lnpnlnhnln
=lnpnlnhnln
lnPnlnhnln
=lnPnlnhnln
lnPnlnhnln{
lnpnlnhnlnq
=lnpnlnhnlnq
lnPnlnhnlnq
=lnPnlnhnlnq
=lnpnlnhnlns
=lnPnlnhnlns
=lnpnlnhnlnz
LoadLibraryA
malloc
memcpy
memset
MSVCP60.dll
MSVCRT.dll
?n3nlnhnlnpnlnhnln
name:%s
?nhnln
?nhnln{
nhnln{
nhnlnpnlnhnln
?nhnlnpnlnhnln
?nhnlnpnlnhnln{
nhnlnpnlnhnln{
nhnlnPnlnhnln
?nhnlnPnlnhnln
nhnlnpnlnhnlnq
?nhnlnpnlnhnlnq
?nhnlnPnlnhnlnq
?nhnlnpnlnhnlns
nhnlnq
?nhnlnq
nhnlns
?nhnlns
nlnhnln
#nlnhnln
#nlnhnln{
nlnhnln{
nlnhnln{?;
nlnhnlnH
nlnhnlnP
nlnhnlnpnlnhnln
nlnhnlnPnlnhnln
`nlnhnlnpnlu
nlnhnlnq
#nlnhnlnq
nlnhnlns
#nlnhnlns
nlnpnlnhnln
;nlnpnlnhnln{
;nlnPnlnhnln{
;nlnpnlnhnlnq
;nlnPnlnhnlnq
;nlnpnlnhnlns
npnlnhnln
?npnlnhnln
?npnlnhnln{
?nPnlnhnln
?nPnlnhnln{
?npnlnhnlnq
?nPnlnhnlnq
nPnlnhnlns
?nPnlnhnln{wP
?npnlnhnlnz
num:%ld
_onexit
__p__commode
__p__fmode
pnlnhnln
=pnlnhnln
=pnlnhnln{
pnlnhnln{
Pnlnhnln
=Pnlnhnln
=Pnlnhnln{
pnlnhnln`nlnhnln
pnlnhnlnq
=pnlnhnlnq
Pnlnhnlns
Pnlnhnlnz
print 'e' to add record:
printf
qq834356673.f3322.org
`.rdata
realloc
record number %d
@.reloc
Rysj.Dat
__set_app_type
__setusermatherr
_stricmp
?terminate@@YAXXZ
!This program cannot be run in DOS mode.
type 'e' to enter new record,
type 'i' to insert  a  record:
type 'l' to list all records,
(u6u2	*
u7u$u1u
u7wLjh
USER32.dll
u-u=}9
(V3 JEEE
VirtualAlloc
VirtualFree
VirtualProtect
w1{.w'
w\3(C[O
w3s&w/
WriteFile
wsprintfA
_XcptFilter
Y=lnhnln{